Free Email Verifier

How to set up SPF, DKIM, and DMARC records


To set up SPF, DKIM, and DMARC, add three DNS TXT records at your domain host. SPF lists the servers allowed to send your mail. DKIM adds a cryptographic signature your provider generates. DMARC tells receivers what to do with mail that fails. Publish, then validate each record before sending.

What do SPF, DKIM, and DMARC actually do?

These three records prove your mail is legitimate. SPF authorizes sending servers by IP. DKIM signs each message with a private key so receivers can verify it was not altered. DMARC ties the two together and sets a policy for failures, plus sends you reports. Together they cut spoofing and lift inbox placement.

Receivers like Gmail and Yahoo now expect all three, especially from bulk senders. Miss them and your mail lands in spam or gets rejected before anyone reads it. The setup is a one-time job in your DNS panel, and the values below are safe starting points you can copy. Here is what each record covers.

Record | DNS type | Host / name | What it controls
SPF | TXT | @ (root domain) | Which servers may send for your domain
DKIM | TXT | selector._domainkey | Cryptographic signature on each message
DMARC | TXT | _dmarc | Policy and reports for authentication failures

How to set up an SPF record

SPF is a single TXT record on your root domain. It names every service allowed to send mail as you. Start with the sources you actually use: your mailbox provider, plus any marketing or transactional tools. A Google Workspace record reads: v=spf1 include:_spf.google.com ~all

If you send through more than one provider, add each include before the all mechanism. Google plus a transactional service might read: v=spf1 include:_spf.google.com include:sendgrid.net ~all. Two rules matter. Keep it to one SPF record per domain, since two records invalidate each other. Stay within 10 DNS lookups, or strict receivers return a permerror. The ~all ending is a soft fail, the safe default while you test. Switch to -all once every sender is listed.
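The two rules above can be checked mechanically. The following is an added example, not code from the original page: it lints the TXT strings found at a root domain for a single v=spf1 record, counts the terms that cost a DNS lookup, and reports the all qualifier. It counts top-level terms only; lookups inside each include also count toward the limit and need live DNS to resolve. Function names and sample records are constructed for illustration.

```python
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def is_spf(record):
    return record.strip().lower().split(" ", 1)[0] == "v=spf1"

def term_name(term):
    """'~include:x' -> 'include', 'a/24' -> 'a', 'redirect=x' -> 'redirect'."""
    name = term.lower().lstrip("+-~?")
    for sep in ":/=":
        name = name.split(sep, 1)[0]
    return name

def lint_spf(txt_records):
    """Check the TXT strings published at the root of one domain."""
    spf = [r.strip() for r in txt_records if is_spf(r)]
    report = {"spf_records": len(spf), "lookups": None, "all": None, "errors": []}
    if len(spf) != 1:
        report["errors"].append("need exactly one v=spf1 record")
        return report
    terms = spf[0].split()[1:]
    names = [term_name(t) for t in terms]
    report["lookups"] = sum(n in LOOKUP_TERMS for n in names)
    if report["lookups"] > 10:
        report["errors"].append("more than 10 DNS-lookup terms (permerror)")
    if "all" in names:
        i = names.index("all")
        report["all"] = terms[i]
        if any(n != "exp" for n in names[i + 1:]):
            report["errors"].append("terms after 'all' are never evaluated")
    elif "redirect" not in names:
        report["errors"].append("no all mechanism or redirect")
    return report

# Constructed sample inputs (what `dig txt yourdomain.com` might return).
GOOD = ["site-verification=constructed-token",
        "v=spf1 include:_spf.google.com include:sendgrid.net ~all"]
DUPLICATE = ["v=spf1 include:_spf.google.com ~all",
             "v=spf1 include:sendgrid.net ~all"]
TOO_MANY = ["v=spf1 "
            + " ".join(f"include:spf{i}.example.net" for i in range(11))
            + " -all"]
```
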

How to set up a DKIM record

DKIM is generated by your sending platform, not typed by hand. In the provider admin panel, turn on DKIM or email authentication. It hands you a selector and a public key. You publish the key as a TXT record (sometimes a CNAME), and the provider keeps the matching private key secret.

The host follows the pattern selector._domainkey.yourdomain.com. A Google record uses the host google._domainkey with a value of v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQ (a long base64 key). Paste the value exactly as shown. One missing character breaks the signature. Some hosts split long keys into two quoted strings, which is fine. After publishing, send a test message to yourself and look for dkim=pass in the headers.
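A pasted key that lost characters can be caught before any mail is sent. The following is an added example, not the provider's or the page's own code: it joins a TXT answer that was split into several quoted strings, parses the DKIM tags, and compares the length declared in the key's DER header with the bytes actually present. The key below is a constructed stand-in (a valid header followed by zero bytes), not a usable key.

```python
import base64
import binascii
import re

def join_txt_strings(rdata):
    """Concatenate the quoted chunks of one TXT answer, with no separator."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(chunks) if chunks else rdata.strip()

def parse_tags(record):
    """Split 'k=v; k=v' into a dict; whitespace inside values is dropped."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def der_declared_length(der):
    """Total size the outer DER SEQUENCE header claims, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short form: length in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold it
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_dkim(rdata):
    tags = parse_tags(join_txt_strings(rdata))
    if tags.get("v", "DKIM1") != "DKIM1":
        return "not a DKIM1 record"
    if "p" not in tags:
        return "missing p= tag"
    if tags["p"] == "":
        return "empty p= (key revoked)"
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return "p= is not valid base64"
    # Only RSA keys (the default k=) are DER-encoded in the p= tag.
    if tags.get("k", "rsa") == "rsa" and der_declared_length(der) != len(der):
        return "key truncated or corrupted"
    return "ok"

# Constructed stand-in for a 2048-bit RSA key: a real DER header, zero filler.
KEY = base64.b64encode(bytes([0x30, 0x82, 0x01, 0x22]) + bytes(290)).decode()
SPLIT = f'"v=DKIM1; k=rsa; p={KEY[:200]}" "{KEY[200:]}"'   # two quoted strings
TRUNCATED = f'"v=DKIM1; k=rsa; p={KEY[:-4]}"'              # lost 4 characters
```
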

How to set up a DMARC record

DMARC lives at _dmarc.yourdomain.com as one more TXT record. It only helps once SPF or DKIM aligns with your visible From domain. Start in monitor mode so you can watch traffic without blocking anything: v=DMARC1; p=none; rua=mailto:[email protected]

Here p=none means take no action, only report. The rua address collects daily aggregate reports showing who sends as you and whether they pass. Read them for two to four weeks. Once your real senders pass cleanly, tighten the policy step by step: move to v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100, then to p=reject. Reject drops spoofed mail outright, which is the whole point.


Authentication stops spoofing, but it does not clean your list. Even perfectly signed mail bounces when the address is dead, and hard bounces drag down the sender reputation you just protected. Before a send, run your list through the Free Email Verifier to drop invalid and risky addresses, with the first daily checks free and no signup. If you would rather hand off list building and outreach entirely, Synthisia runs a done-for-you pipeline. A clean list plus passing SPF, DKIM, and DMARC is what keeps you in the inbox.

How do you validate SPF, DKIM, and DMARC?

Send one test message to an address you control at a different provider, then open the raw headers. Look for spf=pass, dkim=pass, and dmarc=pass in the Authentication-Results line. You can also query each record directly with dig or an online checker. All three should return the exact values you published.

  1. Check SPF: run dig txt yourdomain.com and confirm a single v=spf1 record with every sender included.
  2. Check DKIM: run dig txt selector._domainkey.yourdomain.com and confirm the public key returns in full.
  3. Check DMARC: run dig txt _dmarc.yourdomain.com and confirm the policy and rua address are present.
  4. Send a live test to Gmail and Outlook, open the headers, and confirm all three show pass.
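The header check in step 4 can be scripted. The following is an added example, not from the original page: it parses an Authentication-Results header, reports the spf, dkim and dmarc results, and shows whether each passing check is aligned with the From domain, which is what DMARC requires. The alignment test is a simplification noted in the code, and both headers are constructed samples.

```python
import re

def parse_auth_results(header):
    """Map each method (spf, dkim, dmarc) to its result and properties."""
    value = header.split(":", 1)[1]
    value = re.sub(r"\([^()]*\)", "", value)      # drop (comments)
    results = {}
    for part in value.split(";")[1:]:             # part 0 is the authserv-id
        tokens = part.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            results[method.lower()] = {"result": result.lower(), **props}
    return results

def domain_of(value):
    return value.rsplit("@", 1)[-1].lower().rstrip(".")

def aligned(auth_domain, from_domain):
    # Assumption: a parent/child match stands in for relaxed alignment; real
    # DMARC compares organizational domains using the Public Suffix List.
    a, f = domain_of(auth_domain), domain_of(from_domain)
    return bool(a and f) and (a == f or a.endswith("." + f) or f.endswith("." + a))

def verdict(header):
    r = parse_auth_results(header)
    out = {m: r.get(m, {}).get("result", "missing") for m in ("spf", "dkim", "dmarc")}
    from_domain = r.get("dmarc", {}).get("header.from", "")
    spf_domain = r.get("spf", {}).get("smtp.mailfrom", "")
    dkim = r.get("dkim", {})
    dkim_domain = dkim.get("header.d") or dkim.get("header.i", "")
    out["spf_aligned"] = out["spf"] == "pass" and aligned(spf_domain, from_domain)
    out["dkim_aligned"] = out["dkim"] == "pass" and aligned(dkim_domain, from_domain)
    return out

# Constructed headers (documentation IP, example domains), not captured mail.
ALL_PASS = """Authentication-Results: mx.example.net;
 dkim=pass header.i=@example.com header.s=google;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce@mail.example.com;
 dmarc=pass (p=NONE) header.from=example.com"""
UNALIGNED = """Authentication-Results: mx.example.net;
 dkim=pass header.d=esp-example.net header.s=s1;
 spf=pass smtp.mailfrom=bounce@esp-example.net;
 dmarc=fail header.from=example.com"""
```

A message with several DKIM signatures carries several dkim= entries; this sketch keeps only the last one.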

Common setup mistakes to avoid

A few errors show up again and again. Two SPF records on one domain, which invalidates both. Jumping straight to p=reject before checking reports, which silently drops real mail. Forgetting to update SPF and DKIM when you add a new sending tool. And placing a record on the wrong host, like the full domain instead of _dmarc. Fix these before you tighten any policy.

DNS changes take time. Most records propagate within an hour, but allow up to 48 hours before you decide something is broken. Recheck after propagation, not the second you hit save. A record that looks wrong at minute one often reads perfectly an hour later.

Set them in order: SPF first, DKIM next, DMARC last in monitor mode. Watch the reports, then tighten to reject. With all three passing and a clean, verified list, your mail authenticates, spoofers get blocked, and your real campaigns land where they should.